Integrated: 8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized
Tobias Hartmann
thartmann at openjdk.org
Thu Dec 14 07:25:53 UTC 2023
On Wed, 13 Dec 2023 11:57:42 GMT, Tobias Hartmann <thartmann at openjdk.org> wrote:
> [JDK-8297933](https://bugs.openjdk.org/browse/JDK-8320292) added code that relies on lazy initialization of the `TypeAryPtr::_klass` field. However, there are cases when the field is not yet initialized, leading to a null pointer dereference at C2 compilation time.
>
> In the failing case we process a CmpP:
>
> 116 Phi === 109 160 57 [[ 120 128 128 ]] #long[int:1..2] (java/lang/Cloneable,java/io/Serializable):NotNull:exact * !jvms: TestSimple::test @ bci:11 (line 32)
> 10 Parm === 3 [[ 173 143 128 40 120 128 94 72 83 ]] Parm0: long[int:>=0] (java/lang/Cloneable,java/io/Serializable):exact * !jvms: TestSimple::test @ bci:-1 (line 29)
> 120 CmpP === _ 10 116 [[ 121 ]] !jvms: TestSimple::test @ bci:13 (line 32)
>
> `CmpPNode::sub` performs a subtype check to check if the klasses of its two operands are unrelated. We crash in `ciKlass::is_subtype_of` because the `TypeAryPtr::_klass` field is not initialized (`= nullptr`) for the `116 Phi` operand.
>
> The issue only reproduces with release builds because [additional verification code](https://github.com/openjdk/jdk/blob/21cda19d05b688148f023f6d92778b5da210b709/src/hotspot/share/opto/type.cpp#L996-L1007) in `Type::meet_helper` in debug builds calls `klass()` which leads to eager initialization of the `_klass` field. When disabling the verification code, the issue also reproduces with debug builds and we hit the `this_one->_klass != nullptr && other->_klass != nullptr` assert in `TypePtr::is_same_java_type_as_helper_for_array`.
>
> The fix is to always use the `klass()` method for accesses which makes sure that the field is properly initialized since the overhead is negligible. The patch also includes some unrelated removal of dead code in `TypeAryPtr::compute_klass` (after [JDK-8297933](https://bugs.openjdk.org/browse/JDK-8320292), the verify argument is always false).
>
> Thanks,
> Tobias
This pull request has now been integrated.
Changeset: c8ad7b7f
Author: Tobias Hartmann <thartmann at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/c8ad7b7f84ead3f850f034e1db6335bbbac41589
Stats: 89 lines in 3 files changed: 54 ins; 22 del; 13 mod
8321974: Crash in ciKlass::is_subtype_of because TypeAryPtr::_klass is not initialized
Reviewed-by: roland, kvn
-------------
PR: https://git.openjdk.org/jdk/pull/17085
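The failure mode described in the PR (a lazily initialized field read directly instead of through its initializing accessor, with a debug-only verification path that happens to trigger the initialization and so hides the bug) is easy to reproduce in miniature. The following is an added example, not HotSpot's code: `Klass`, `ArrayType`, `relation_via_field`, `relation_via_accessor` and `debug_verify` are constructed stand-ins for `ciKlass`, `TypeAryPtr`, the pre-fix and post-fix `CmpPNode::sub` shape, and the debug-build check in `Type::meet_helper`. Where the real code dereferenced the null klass and crashed, the stand-in returns a marker value so the three scenarios can be compared.

```cpp
#include <cassert>
#include <cstdio>

// Constructed stand-in for a JVM klass: a name, a superclass link and the
// klass of the corresponding array type. Not HotSpot's ciKlass.
struct Klass {
    const char* name;
    const Klass* super;        // nullptr for the root
    const Klass* array_klass;  // klass of "name[]", nullptr if none

    bool is_subtype_of(const Klass* other) const {
        for (const Klass* k = this; k != nullptr; k = k->super) {
            if (k == other) return true;
        }
        return false;
    }
};

// Constructed stand-in for TypeAryPtr: the array klass is not known at
// construction and is filled in on the first call to klass().
class ArrayType {
    const Klass* _elem;            // element klass, known from the start
    mutable const Klass* _klass;   // nullptr until compute_klass() has run

    const Klass* compute_klass() const { return _elem->array_klass; }

public:
    explicit ArrayType(const Klass* elem) : _elem(elem), _klass(nullptr) {}

    // The accessor the fix standardizes on: it initializes on demand, so a
    // caller can never observe the nullptr state.
    const Klass* klass() const {
        if (_klass == nullptr) _klass = compute_klass();
        return _klass;
    }

    // Exposed only so the example can show what a raw field read sees.
    const Klass* klass_field() const { return _klass; }
};

enum class Relation { Related, Unrelated, UninitializedKlass };

// Pre-fix shape: reads the field directly. A nullptr here is the state that
// made ciKlass::is_subtype_of crash; this stand-in reports it instead.
Relation relation_via_field(const ArrayType& a, const ArrayType& b) {
    const Klass* ka = a.klass_field();
    const Klass* kb = b.klass_field();
    if (ka == nullptr || kb == nullptr) return Relation::UninitializedKlass;
    bool related = ka->is_subtype_of(kb) || kb->is_subtype_of(ka);
    return related ? Relation::Related : Relation::Unrelated;
}

// Post-fix shape: always goes through klass(), so both klasses are set.
Relation relation_via_accessor(const ArrayType& a, const ArrayType& b) {
    const Klass* ka = a.klass();
    const Klass* kb = b.klass();
    bool related = ka->is_subtype_of(kb) || kb->is_subtype_of(ka);
    return related ? Relation::Related : Relation::Unrelated;
}

// Stand-in for debug-only verification that calls klass() as a side effect
// and thereby masks the bug in debug builds.
void debug_verify(const ArrayType& a, const ArrayType& b) {
    (void)a.klass();
    (void)b.klass();
}

// Constructed hierarchy: Object <- long[], Object <- int[]. The element
// entries exist only to give each array type something to resolve.
static const Klass kObject    = {"java.lang.Object", nullptr,  nullptr};
static const Klass kLongArray = {"long[]",           &kObject, nullptr};
static const Klass kIntArray  = {"int[]",            &kObject, nullptr};
static const Klass kLongElem  = {"long",             nullptr,  &kLongArray};
static const Klass kIntElem   = {"int",              nullptr,  &kIntArray};

// Release build, pre-fix: nothing has initialized the field yet.
Relation scenario_release_prefix(const Klass* ea, const Klass* eb) {
    ArrayType a(ea), b(eb);
    return relation_via_field(a, b);
}

// Debug build, pre-fix: the verification path initializes the field first,
// so the direct read "works" and the bug stays hidden.
Relation scenario_debug_prefix(const Klass* ea, const Klass* eb) {
    ArrayType a(ea), b(eb);
    debug_verify(a, b);
    return relation_via_field(a, b);
}

// Either build, post-fix: the accessor guarantees initialization.
Relation scenario_fixed(const Klass* ea, const Klass* eb) {
    ArrayType a(ea), b(eb);
    return relation_via_accessor(a, b);
}

int main() {
    printf("release/prefix uninitialized: %d\n",
           scenario_release_prefix(&kLongElem, &kLongElem) == Relation::UninitializedKlass);
    printf("debug/prefix related: %d\n",
           scenario_debug_prefix(&kLongElem, &kLongElem) == Relation::Related);
    printf("fixed long[] vs int[] unrelated: %d\n",
           scenario_fixed(&kLongElem, &kIntElem) == Relation::Unrelated);
    return 0;
}
```

The design point carried over from the fix is that a lazily initialized member should have exactly one read path, the accessor that performs the initialization, and that test coverage which only exercises the accessor (here `debug_verify`) says nothing about code paths that still read the field directly.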